No Such Thing as Too Small to Hack

Small business owners all-too-frequently believe that they won’t be targeted by hackers because they don’t offer anything of interest to cybercriminals. Since mainstream media outlets tend to solely focus on the “spectacular” large corporate and government breaches, it’s somewhat understand that this misconception continues to fester. But that narrative may be starting to shift – at least a bit.

The U.S. Securities & Exchange Commission recently stated that SMBs are “at even greater risk, and are far more vulnerable once they are victimized.” As the volume of attacks and lucrative profits continue to grow, all business owners – from Fortune 100 companies to small family-owned businesses – need to get serious about defending their business websites from being compromised.

A 2016 Cybersecurity Ventures report says the financial toll of cybercrime is expected to double from 2015 to 2021. Even with the skyrocketing costs of cybercrime affecting every sector of the global economy, mostly only large corporations have made significant progress toward mitigating this threat. Either by refusing to admit that they will be targeted or insisting that they already have sufficient protection, SMBs are still largely in denial about the clear fact that a business remains vulnerable as long its website remains unprotected or unmonitored.

Small business owners often aren’t aware of the fluid and dynamic nature of discovering and disclosing vulnerabilities, and how this causes both updated and outdated website platforms to be at risk. According to a spokesperson for the Small Business Administration (SBA), companies that used Web Content Management Systems face even more acute threats, as “at any given time between 70 to 80-percent of users are running outdated versions of WordPress – leading to critical and well documented vulnerabilities.”

An owner of a typical small business site reviews web traffic figures daily, and they are often pleased to notice any increase in volume. However, analysis from multiple independent studies illustrates that an average of seven percent of daily traffic actually consists of hackers exploring and/or exploiting vulnerabilities. That figure is likely even higher for a “small fish” SMB that provides goods and services to a “big fish”– since these SMBs are often used as gateways into the more heavily defended large enterprises.

While DDoS attacks tend to receive some of the more frequent, large-scale press coverage, there are other website attacks that can wreak even more havoc on a small business. The nearly constant stream of application-layer bot attacks is much more common and harder to detect and defend against. “Bad” bots are masquerading as “good” bots such as Google and Bing crawlers – but are actually conducting competitive data mining, account hijacking, and much worse. They affect a business website’s availability, degrade the user experience, and vacuum up proprietary information all while under the radar – potentially eroding consumer trust in a brand.

Small businesses that are hacked often suffer losses of much greater magnitude than their larger counterparts because they lack the established “name recognition” of big companies. Hackers may use a site to host malware, to get around blacklisted IP addresses, which can gravely affect company’s marketing efforts by hurting their search engine rankings on Google, Bing and many others. If a company’s site is detected as compromised, search engines will devalue a domain until its able to rid it of malicious code.

Since mid-2010, attacks targeting small businesses have steadily increased to the point that they now account for about half of all attacks. Despite the high probability of facing a very real cyber-nightmare, the vast majority of small business owners have not made significant progress because they either lack the resources for sufficient defense or have not taken the threat seriously. According to the Small Business Administration cybersecurity portal, owners and staff with IT responsibilities must began to think about how to respond to a sudden loss of control or access to their website platforms. They should prioritize security assets “by conducting penetration tests and then shoring up defenses against the vulnerabilities that are discovered.”

SBA analysts recommend that owners utilize technology that is designed to solve the specific challenges that the business is facing in the cyber arena. “Small businesses should automate as much of their security as they possibly can. If after performing an inventory, customers employ data loss prevention technology to monitor if sensitive information is leaving the organization, they can automate scanning for these types of vulnerabilities,” the organization states.

Technology alone does not equal security, as owners and employees must begin to realize that their websites offer a potentially immense value proposition to hackers. An SMB is definitely not too small to care.

*Updated with reference and link to Cybersecurity Ventures report

About the author: Avi Bartov is co-founder of GamaSec, a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.